Wednesday, May 18, 2005

The Wandering Mind wonders...

James Van Kessel makes an important point about one aspect of the 7 laws.

Where Kim states (in discussing "Advantages of a claims-based definition"): "...within a given context, identities have to be unique. Many early systems were built with this assumption, and it is a critically useful assumption in many contexts. The only error is in thinking it is mandatory for all contexts." (The Laws of Identity, page 5)

James replies:

Maybe it's my enterprise mentality but even if I can't determine which specific person is the user uniquely, I still want to have a unique and consistent identifier for the user in MY service's context. By not doing so, it can be difficult to track, support and understand the users' experiences over time at the service.

Not only can't I disagree with Van Kessel but I'm even more emphatic that each identity must be unique within every context in which it exists - or it isn't a valid identity. If there's a possibility that a given identity can apply to two or more objects then the system is not only flawed, but worthless.

Cameron cites as an example:

... consider the relationship between a company like Microsoft and an analyst service that we will call Contoso Analytics. Let's suppose Microsoft contracts with Contoso Analytics so anyone from Microsoft can read its reports on industry trends. Let's suppose also that Microsoft doesn't want Contoso Analytics to know exactly who at Microsoft has what interests or reads what reports.
In this scenario we actually do not want to employ unique individual identifiers as digital identities. Contoso Analytics still needs a way to ensure that only valid customers get to its reports. But in this example, digital identity would best be expressed by a very limited claim - the claim that the digital subject currently accessing the site is some Microsoft employee. Our claims-based approach succeeds in this regard. It permits one digital subject (Microsoft Corporation) to assert things about another digital subject without using any unique identifier.

But within the context of Contoso Analytics, the object "Microsoft" has a unique identity, and as far as this context is concerned, the persons posing as (or acting on behalf of, if you prefer) Microsoft have no standing at all - they aren't objectified so there's no need for them to be identified. However, in the context of "Microsoft" there is an object uniquely identifiable for each person and each of these objects is granted the role of "Contoso client" with the identity of "Microsoft".

Context is extremely important to identity; it is a necessary component of identity, and it's absolutely essential that we realize the context in which a given identity exists and that the identity have a unique identifier within that contextual system.
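The two contexts in the Contoso scenario can be sketched in code. This is an added example, not part of the original post or of The Laws of Identity. The token format, the shared HMAC key, the user names and both function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample data: key, user names and token layout are assumptions.
SHARED_KEY = b"constructed-demo-key"   # stands in for a real signing key
EMPLOYEES = {"alice": {"contoso-client"}, "bob": {"contoso-client"}, "carol": set()}

def issue_assertion(user, now, ttl=300):
    """Microsoft context: each person is a unique object holding roles.
    The assertion that leaves this context names only the organisation."""
    if "contoso-client" not in EMPLOYEES.get(user, set()):
        raise PermissionError("unknown user or role not granted")
    claims = {"iss": "Microsoft", "role": "contoso-client", "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag           # no per-user field anywhere in the token

def verify_assertion(token, now):
    """Contoso context: returns the one identity it knows ("Microsoft"),
    or None if the token is malformed, tampered with or expired."""
    try:
        body, tag = token.split(b".")
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("role") != "contoso-client" or claims.get("exp", 0) < now:
        return None
    return claims["iss"]

if __name__ == "__main__":
    a = issue_assertion("alice", now=1000)
    b = issue_assertion("bob", now=1000)
    print(verify_assertion(a, now=1100), a == b)
```

Assertions issued for two different employees at the same moment are byte-for-byte identical, so the only identity that exists on the Contoso side is the issuer.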


© 2003-2006 The Virtual Quill, All Rights Reserved

